66% or better

Reverse engineering shopping cart security

All this talk about 555 timers is causing projects to pop out of the woodwork like this one that reverse engineers a shopping cart security mechanism. The wheel seen above listens for a particular magnetic signal and when encountered it locks down the yellow cowl, preventing the wheel from touching the ground and making the cart very hard to move.

[Nolan Blender] acquired one of these wheels for testing purposes and he’s posted some details about the hardware inside. But the first thing he did was to put together some test equipment to help find out details about the signal that trips the mechanism. He connected a coil to an audio amplifier and walked around the market looking for strong signals. Once he found a few strong bursts with that equipment he grabbed an oscilloscope, hooked it to the coil, and made some measurements. He found an 8 kHz signal at a 50% duty cycle at 30 ms intervals (it would be hard to make a better case for why you need an oscilloscope).

With the specs in hand, [Nolan] grabbed two 555 timers, an audio amplifier, and a 200 turn antenna around a ferrite core to build his own locking mechanism. If you’re ever stopped short in the middle of the market, just look for the hacker at the end of the aisle holding the homemade electronics.

[Photo source]

[Thanks Colin]

Comments

  1. Mohonri says:

    I seem to remember a similar story a few years back. The hacker in question actually built his antenna into his clothing, and walked around Target, pressing a button occasionally when standing near another customer. I don’t remember whether he ever got caught.

    What I’d like to see next is the reverse–a way to unstick a stuck shopping cart.

  2. ptr_ says:

    i remember a great lightingtalk at 25C3 by some of the paris’ /tmp/lab — they managed to lock/unlock the cart’s wheel, just by replaying specially crafted mp3′s on your everyday cellphone.

    http://www.tmplab.org/2008/06/18/consumer-b-gone/

  3. MrTaco says:

    Keep pushing it around until the cover grinds away and you get back to wheel again.

  4. llamafur says:

    Uh, I think this is a repost.

  5. ArtForz says:

    @Mohonri
    Didn’t RTFA? It clearly explains that unlocking is accomplished by sending a continous 8kHz signal.

  6. sneakypoo says:

    @Mohonri: Read the linked article, it goes over both locking and unlocking. If it still applies is another story (this paper is from 2000).

  7. pascal says:

    That’s interesting. I would have guessed that the unlocking signal would be more complex than the locking signal…

  8. Bill says:

    Why would the unlocking be more complex than locking? The average shopping cart thief doesn’t even know what an 8kHz signal is, much less have the ability to generate one.

  9. RuthLessPirate says:

    Bubbles isn’t going to like this…

  10. Gdogg says:

    very cool. I wonder how universal that signal is. I know at my local grocery store the lock mechanism is different (It locks internally, so the wheel technically never loses contact with the ground). I would love to be able to lock them for fun :P

  11. Vinh Vu says:

    There are shopping cart thieves???

  12. mike bradley says:

    Just curious, no one asked why he was walking around with an osciliscope? There is a whole foods near my office, they lock at the end of the driveway, I can atleast sit in my car

  13. strider_mt2k says:

    Bubbles?

    As in Bubbles of Austin TX. Bubbles?

    He’s the only Bubbles I know of that is connected to shopping carts.

  14. Knappster says:

    Shopping cart locking has been done to death now. In the UK nearly all the shopping cart locking systems are simply magnetic strips sunk into the ground. No fancy locking/unlocking codes here but it does mean that all you need is a magnet to set them off. It’s harder to trigger from a distance though.

  15. synth says:

    “He found an 8 kHz signal at a 50% duty cycle at 30 ms intervals (it would be hard to make a better case for why you need an oscilloscope).” — Mike Szczys

    derp, you don’t need a scope for that.
    you can measure that with a decent multimeter.

  16. Whatnot says:

    Or you can record it with an audiorecorder and just run it through any audio analyzing software, 8KHz is easy to capture.
    I think some of the first people that hacked it did it that way.

  17. superlopez says:

    Bubbles can rest easy not seem to have shopping carts like those in Baltimore

  18. caleb says:

    @ruthlesspirate
    thats what i was thinking. perhaps he stole too many?

    @strider
    Bubbles is a charactor from a Canadian television show called Trailer Park Boys.

    “kitties arent supposed to smell like cigerettes”

  19. Agent420 says:

    FTA: “The system can be defeated, however it is unlikely that the kind of person that steals shopping carts would be inclined to develop an unlocking transmitter”

    … with the exception of the author, I assume ;-)

    Once while living in an urban center, there were so many abandoned ‘stolen’ carts left in front of my residence that I decorated them with xmas lights during the holidays (apparently individuals hired to retrieve them did not care for those carts left mangled, embedded within snow banks by the plows).

  20. medwardl says:

    I wonder a transmitter could be built small enough to fit in a backpack yet strong enough to broadcast the locking signal throughout the entire store in one shot.

  21. poiso says:

    @Mohonri I am pretty sure that I read the same article, trying to remember where tho

  22. The Steven says:

    Reminds me of a time years back I made a “TV Jammer” from a kit, and hung out in the TV department of the competition…

    http://2.bp.blogspot.com/_JLelwWSHq1A/THeUHewrqLI/AAAAAAAAACY/8yNeEi5GiuU/s1600/tv-and-fm-jammer-schematic-using-2n2222.jpg

  23. sam says:

    I think 8 Hz is the frequency the security alarms on the doors use. At least that was the case at a Walgreens I worked at. I guess the shopping cart security system is a 1000 times more awesome.

  24. Frogz says:

    fairly sure this is a repost(well, not a repost but the same thing has been posted before on hackaday

    various versions such as http://www.instructables.com/id/EMP-shopping-cart-locker/
    the cheap version, http://www.instructables.com/id/Shopping-Cart-Locker-THE-EASY-WAY-Improved-Range/ record the sound with a coil/audio input
    and you can view exactly what its doing on any audio editor
    play it back through a amp, works almost as good as a dedicated circuit!

  25. Justin Case says:

    friend found some shop lifting tags in the parking lot of our mall. they had sirens built in and were sounding, they had been cut off something.
    they had texas instruments MSP430-F2001 processors, a 58khz tuned coil, battery, peizo, 2 switches, led, smt parts. They used a spring loaded pin to lock the device. Magnet to unlock.
    Case is glued closed.

    As the controller is likely locked, desoldering to try to read will likely be pointless.
    What should my friend do with these?
    Strip it and toss the rest?

  26. Justin Case says:

    oh yes, they transmit around 700khz, and 52mhz, very wide band.

  27. Jack Durban says:

    I invented this technology back in the mid 90′s. If you look up my name in the patent office you will see my patents. This particular model is a copy cat of my original product for Gatekeeper systems. Carttronics just copied much of the design except the goofy shovel like brake. The references to the 8khz locking signal were half right. The carrier is digitally encoded at at a low data rate. The carrier frequency was chosen to be under FCC part 15 regs. I also created the PURCHEK anti roll-out technology.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s